What are IT pros most concerned about heading into 2013? The annual State of the Endpoint Report sponsored by Lumension and conducted by Ponemon Institute reveals APTs and mobile devices pose the biggest security threat to organizations in the coming year. Unfortunately, respondents also demonstrated a disconnect between their identified risk and planned security spend as well as a significant need for improved internal collaboration.
This presentation by Larry Ponemon of the Ponemon Institute and Paul Zimski of Lumension reveals statistics on growing insecurity, IT’s perceived areas of greatest risk for 2013 as well as tactical suggestions for how to improve your endpoint security. Specifically, you will learn:
• IT perspective on today’s Top 3 risks;
• Disconnect between perceived risk and corresponding strategies to combat those threats;
• Tips and tricks on how to best communicate today’s threats and subsequent needed responses up the management chain.
Greatest IT Security Risks of 2013: Annual State of the Endpoint Report
1. 2013 State of the Endpoint
Presentation by Dr. Larry Ponemon
December 5, 2012
2. About Ponemon Institute
• Ponemon Institute conducts independent research on cyber security, data
protection and privacy issues.
• Since our founding 11+ years ago our mission has remained constant, which is
to enable organizations in both the private and public sectors to have a clearer
understanding of the practices, enabling technologies and potential threats that
will affect the security, reliability and integrity of information assets and IT
systems.
• Ponemon Institute research informs organizations on how to improve upon their
data protection initiatives and enhance their brand and reputation as a trusted
enterprise.
• In addition to research, Ponemon Institute offers independent assessment and
strategic advisory services on privacy and data protection issues. The Institute
also conducts workshops and training programs.
• The Institute is frequently engaged by leading companies to assess their privacy
and data protection activities in accordance with generally accepted standards
and practices on a global basis.
• The Institute also performs customized benchmark studies to help organizations
identify inherent risk areas and gaps that might otherwise trigger regulatory
action.
12/4/2012 Ponemon Institute: Private & Confidential Information 2
3. Introduction
• Since 2010, Ponemon Institute and Lumension have tracked endpoint risk
in organizations, the resources to address the risk and the technologies
deployed to manage threats.
• This study reveals that the state of endpoint risk is not improving. One of the
top concerns is the proliferation of personally owned mobile devices in the
workplace such as smart phones and iPads.
• Malware attacks are increasing and are having a significant impact on IT
operating expenses. Advanced persistent threats and hacktivism pose the
biggest headache to IT security pros.
4. Methods
A random sampling frame of 17,744 IT and IT security practitioners located in all regions
of the United States was selected as participants in this survey. As shown below, 923
respondents completed the survey. Screening removed 178 surveys, and an additional 74
surveys that failed reliability checks were removed. The final sample was 671 surveys
(a 3.8 percent response rate).
Sample response FY 2012 FY 2011 FY 2010
Total sampling frame 17,744 18,988 11,890
Total returns 923 911 782
Rejected surveys 74 80 65
Screened surveys 178 143 153
Final sample 671 688 564
Response Rate 3.8% 3.6% 4.7%
5. Distribution of respondents according to primary industry classification
[Pie chart. Segments in legend order: Financial Services, Health & pharmaceuticals, Public Sector, Retailing, Services, Technology & software, Hospitality, Industrial, Education & research, Energy, Consumer products, Communications, Entertainment & media, Agriculture, Defense, Transportation. Segment sizes shown range from 20% down to 2%.]
6. What organizational level best describes your current position?
[Pie chart. Categories: Director, Manager, Supervisor, Technician, Staff, Contractor, Other. Shares shown: 26%, 23%, 19%, 19%, 7%, 3%, 3%.]
7. The primary person you or the IT security leader reports to within the organization
[Pie chart. Categories: Chief Information Officer, Chief Information Security Officer, Chief Risk Officer, Compliance Officer, Chief Security Officer, General Counsel, Chief Financial Officer. Shares shown: 54%, 23%, 9%, 6%, 4%, 3%, 1%.]
8. Worldwide headcount
[Pie chart. Categories: Less than 500 people, 500 to 1,000 people, 1,001 to 5,000 people, 5,001 to 25,000 people, 25,001 to 75,000 people, More than 75,000 people. Shares shown: 33%, 21%, 19%, 16%, 7%, 4%.]
11. IT security risks considered to be on the rise
Three choices permitted in 2010 and 5 choices permitted in 2011 and 2012
Risk                                          FY 2012  FY 2011  FY 2010
Mobile devices                                   73%      48%       9%
Across 3rd party applications                    67%      56%      45%
Mobile/remote employees                          53%      49%      44%
Our PC desktop/laptop                            45%      41%      44%
Negligent insider risk *                         44%      43%       --
Cloud computing infrastructure & providers       41%      43%      18%
Removable media and/or media (CDs, DVDs)         39%      42%      10%
* This choice was not available for all fiscal years
12. IT security risks believed to be decreasing or staying the same
Three choices permitted in 2010 and 5 choices permitted in 2011 and 2012
Risk                                          FY 2012  FY 2011  FY 2010
Lack of organizational alignment *               36%      39%       --
Lack of system connectivity/visibility *         25%      29%       --
Virtual computing environments                   19%      28%      20%
Our server environment                           19%      29%      32%
Malicious insider risk *                         15%      16%       --
Network infrastructure environment               10%      14%      11%
Within operating systems                          8%      10%      11%
Our data centers                                  6%      12%      14%
* This choice was not available for all fiscal years
13. Is your IT network more secure now than it was a year ago?
[Bar chart. Responses Yes / No / Unsure for FY 2012, FY 2011 and FY 2010. Values shown: 46%, 41%, 36%, 36%, 34%, 33%, 28%, 25%, 21%.]
14. IT security risks of most concern since 2010
More than three choices permitted in 2010 and 3 choices permitted in 2011 and 2012
Risk                                                  FY 2012  FY 2011  FY 2010
Increased use of mobile platforms *                      47%      36%       --
Advanced persistent threats                              36%      24%      24%
Intrusions and data loss within virtual environments     22%      23%      13%
* This choice was not available for all fiscal years
15. IT security risks that have declined or stayed the same
More than three choices permitted in 2010 and 3 choices permitted in 2011 and 2012
Risk                                                           FY 2012  FY 2011  FY 2010
Negligent insider risk                                            15%      28%      50%
Growing volume of malware                                         30%      29%      61%
Use of insecure cloud computing resources                         28%      31%      49%
Insufficient budget resources                                     30%      32%      47%
Increasingly sophisticated & targeted cyber attackers             31%      26%      40%
Malicious insider risk                                            12%      11%      19%
Inability to measure policy compliance *                           6%      12%       --
Insufficient collaboration among IT & business operations *       13% and 16% (two fiscal years; year assignment not recoverable from the chart)
Lack of integration between endpoint operations & security technologies   18%   17%   20%
Lack of an organizational wide security strategy *                12%      13%       --
* This choice was not available for all fiscal years
17. Mobile devices pose a significant security risk
Strongly agree and agree response combined
[Bar chart, FY 2012 and FY 2011. Values shown: 80% and 74%.]
18. Technologies expected to increase in the next 12 to 24 months
Substantial increase and increase response combined
Technology                                         FY 2012  FY 2011
Mobile devices / smart phones                         75%      70%
Use of 3rd party cloud computing infrastructure       63%      56%
Virtualized environments                              61%      52%
Use of internal cloud computing infrastructure        53%      35%
Security event and incident management *               --      45%
Social media / Web 2.0 *                               --      72%
* This choice was not available for FY 2012
19. Important mobile device management features
Three choices permitted
Feature                                          FY 2012  FY 2011
Provisioning and access policy management           70%      62%
Virus and malware detection or prevention           65%      55%
Encryption and other data loss technologies         44%      49%
Asset tracking                                      43%      47%
Anti-theft features                                 39%      42%
Remote wipe capability                              38%      41%
Other                                                1%       3%
20. Personal mobile device use in the workplace
[Bar chart. Share of employees using personal mobile devices: None, 1 to 25%, 26 to 50%, 51 to 75%, More than 75%, Cannot determine; FY 2012 and FY 2011. Values shown: 34%, 29%, 28%, 23%, 20%, 18%, 16%, 13%, 7%, 7%, 3%, 2%.]
21. Security policy for employee owned devices
[Bar chart. Responses: No; No, but we plan to; Yes, we secure them similar to corporate devices; Yes, we use stricter standards than we do for corporate devices; FY 2012 and FY 2011. Values shown: 46%, 39%, 29%, 21%, 21%, 19%, 13%, 12%.]
22. Most vulnerable third-party applications
Three choices permitted
Application                                    FY 2012  FY 2011  FY 2010
Google Docs                                       55%      47%      46%
Adobe                                             55%      50%      54%
Microsoft OS/applications                         44%      49%      57%
General 3rd party apps outside of Microsoft       40%      46%      58%
Apple/Mac OS                                      30%      24%      15%
Apple apps                                        28%      20%      14%
VMware                                            18%      20%      17%
Oracle applications                               15%      22%      10%
WinZip                                            11%      16%      19%
Mozilla Firefox                                    3%       6%       2%
Other                                              0%       1%       4%
24. Monthly malware attempts or incidents
[Bar chart. Categories: Less than 5, 5 to 10, 11 to 25, 26 to 50, More than 50, Not sure; FY 2012, FY 2011 and FY 2010. Largest value shown: 43%.]
25. Changes in malware incidents over the past year
[Bar chart. Responses: Yes, major increase; Yes, but only slight increase; No, they stayed the same; No, they have decreased; Not sure; FY 2012, FY 2011 and FY 2010. Values shown: 37%, 31%, 26%, 25%, 25%, 22%, 22%, 21%, 18%, 17%, 15%, 14%, 9%, 8%, 8%.]
26. Most frequent and annoying incidents
More than one choice permitted
Questions asked: Which incidents are you seeing frequently in your organization’s IT networks? Which one incident represents your biggest headache?
Incident                                              Seen frequently   Biggest headache
General malware                                             86%               2%
Web-borne malware attacks                                   79%               3%
Rootkits                                                    65%               4%
Botnet attacks                                              55%               8%
Advanced persistent threats / Targeted attacks *            54%              25%
Spyware                                                     45%               0%
Clickjacking                                                43%               7%
Hacktivism                                                  41%              15%
Zero day attacks                                            31%              13%
SQL injection                                               29%              12%
Exploit existing software vulnerability < 3 months          28%               5%
Exploit existing software vulnerability > 3 months          26%               6%
Other                                                        5%               0%
* Termed Targeted Attacks in the 2011 survey
27. IT operating costs increase due to malware
[Bar chart. Responses: Very significant, Significant, Some significance, None; FY 2012, FY 2011 and FY 2010. Values shown: 43%, 41%, 40%, 32%, 29%, 28%, 22%, 21%, 14%, 14%, 8%, 8%.]
29. IT security budget changes from last year
[Bar chart. Responses: Increase, Stay the same, Decrease, Unsure; FY 2012 and FY 2011. Values shown: 56%, 48%, 29%, 25%, 12%, 11%, 10%, 9%.]
30. Collaboration between IT operations and IT security
[Bar chart. Responses: Collaboration is excellent; Collaboration is adequate, but can be improved; Collaboration is poor or non-existent; FY 2012 and FY 2011. Values shown: 48%, 46%, 41%, 40%, 13%, 12%.]
31. Admin privileges allowed
[Bar chart. Responses: No; Yes, to part of the user environment; Yes, to the entire user environment. Values shown: 41%, 40%, 19%.]
32. Greatest challenges in meeting federal compliance regulations
Two choices permitted
Lack of resources 75%
Increasing audit burden 73%
Explaining issues and requirements to management 15%
Inconsistent reporting 11%
Manual data collection 9%
None of the above 12%
33. Impact of external compliance requirements on IT security function
Two choices permitted
More personnel and funding for meeting compliance initiatives 56%
More funding for purchasing security technologies 53%
Better understanding of organizational IT risk 24%
Improved control procedures 20%
Requirements to update or create new policies 12%
Requirements to update or create new training procedures 10%
Formal audits to ensure policy enforcement 9%
None of the above 13%
35. Technologies in use or to be invested in over the next 12 months
More than one choice permitted
[Bar chart. Technologies: Application control firewall; Application control/whitelisting; Endpoint management and security suite; SEIM. Series: Current use of technology; Expected increase in use of technology. Values shown: 55%, 55%, 49%, 47%, 42%, 38%, 34%.]
36. Most effective tools for reducing IT risk
Fiscal years 2012 and 2011 limited to 5 choices
Tool                                                 FY 2012  FY 2011  FY 2010
Privilege management *                                  46%      45%       --
Vulnerability assessment *                              55% and 70% (two fiscal years; year assignment not recoverable from the chart)
Security event and incident management *                40%      43%       --
Endpoint management & security suites/platforms         40%      41%      48%
Endpoint firewall                                       39%      43%      59%
Device control                                          37%      44%      57%
Application control firewall                            37%      42%      52%
Application control/whitelisting                        36%      37%      44%
Anti-virus & anti-malware                               33%      40%      57%
* This choice not available for all fiscal years
37. Reasons for migrating to Windows 8
Two choices permitted
Efficiency and user productivity gains 43%
Improvements in security 38%
Improvements in speed and performance 37%
Stability of the operating system 33%
Interoperability issues with other systems 31%
Improvements in vendor support 19%
39. The existence and enforcement of cloud security policies
[Bar chart. Responses Yes / No / Unsure to two questions: Does your organization have a centralized cloud security policy? Do you enforce employees’ use of private clouds? Values shown: 45%, 41%, 40%, 36%, 24%, 14%.]
40. Conclusion & Recommendations
• Create acceptable use policies for personally owned devices in the
workplace.
• Conduct risk assessments and consider the use of an integrated endpoint
security suite that includes vulnerability assessment, device control, anti-
virus and anti-malware.
• Establish governance practices for privileged users at the device level to
define acceptable use of mobile, BYOD and corporate-owned assets as well
as to limit the installation of third-party applications.
• Ensure that policies and procedures clearly state the importance of
protecting sensitive and confidential information stored in the cloud.
• To better address the difficulties in managing the endpoint risk, collaboration
between IT operations and IT security should be improved to achieve a
better allocation of resources and the creation of strategies to address risks
associated with hacktivism, BYOD, third-party applications and cloud
computing.
41. Caveats
• There are inherent limitations to survey research that need to be carefully considered
before drawing inferences from findings. The following items are specific limitations
that are germane to most web-based surveys.
• Non-response bias: The current findings are based on a sample of survey returns.
We sent surveys to a representative sample of individuals, resulting in a large number
of usable returned responses. Despite non-response tests, it is always possible that
individuals who did not participate are substantially different in terms of underlying
beliefs from those who completed the instrument.
• Sampling-frame bias: The accuracy is based on contact information and the degree
to which the list is representative of individuals who are IT or IT security practitioners.
We also acknowledge that the results may be biased by external events such as
media coverage. We also acknowledge bias caused by compensating subjects to
complete this research within a holdout period.
• Self-reported results: The quality of survey research is based on the integrity of
confidential responses received from subjects. While certain checks and balances
can be incorporated into the survey process, there is always the possibility that a
subject did not provide a truthful response.
42. Questions?
Ponemon Institute
www.ponemon.org
Tel: 231.938.9900
Toll Free: 800.887.3118
Michigan HQ: 2308 US 31 N. Traverse City, MI 49686 USA
research@ponemon.org